PRIMALITY TESTS FOR $2^k n - 1$ USING ELLIPTIC CURVES



YU TSUMURA 

Abstract. We propose some primality tests for $2^k n - 1$, where $k, n \in \mathbb{Z}$, $k > 2$ and $n$ odd. There are several tests depending on how big $n$ is. These tests are proved using properties of elliptic curves. Essentially, the new primality tests are the elliptic curve version of the Lucas-Lehmer-Riesel primality test.



1. Note 

An anonymous referee suggested that Benedict H. Gross already 
proved the same result about a primality test for Mersenne primes 
using elliptic curve in [1]. 

2. Introduction. 

There are mainly two types of primality tests. One of them applies to any integer and the other applies only to a special form of integer. Usually the latter is faster than the former because of its additional information. Among them, the Lucas-Lehmer primality test for Mersenne numbers $M_k = 2^k - 1$ is very fast. The test uses a sequence $S_i$ defined by $S_0 = 4$ and $S_{i+1} = S_i^2 - 2$ for $i > 1$. The primality test is that $M_k$ is prime if and only if $M_k$ divides $S_{k-2}$. For a proof, see for example [2]. Also see P and [8] for applications of the Lucas sequence for other primality tests. There is also a generalization of this test called the Lucas-Lehmer-Riesel test which applies to integers of the form $2^k n - 1$ with $n < 2^k$ (see [6] and [8]). This test also uses the sequence $S_i$ defined by the above recursion but with a different initial value $S_0$ depending on $k$ and $n$.

In this paper we give several primality tests for integers of the form $2^k n - 1$ using elliptic curves. When $n$ is relatively small as in the Lucas-Lehmer-Riesel test, the primality test can be regarded as an analogue of the Lucas-Lehmer-Riesel test. The new test also uses a sequence defined by recursion. For the initial value, we need to take a proper elliptic curve and a point on it. This corresponds to the choice of an initial value in the Lucas-Lehmer-Riesel test. However, when the new test applies to Mersenne numbers $2^k - 1$, there exist an elliptic curve and a point on it which are independent of $k$.

Now let us define the sequence. Let $p \equiv 3 \pmod 4$ be a prime number and let $E$ be an elliptic curve defined by $y^2 = x^3 - mx$ for some integer $m \not\equiv 0 \pmod p$. Fix a point $Q = (x, y) \in E(\mathbb{F}_p)$ and denote $2^i Q = (x_i, y_i)$ for $i \geq 0$. On this curve, multiplication of a point by 2 is described as

$$2(x, y) = \left( \frac{x^4 + 2mx^2 + m^2}{4(x^3 - mx)},\ yR(x) \right) = \left( \left( \frac{x^2 + m}{2y} \right)^2,\ yR(x) \right) \tag{2.1}$$

for some rational function $R(x)$. (See Example 2.5, page 52 in
Let us define a sequence $S_i$. Let $S_0 = x$ and $S_i = 4(x_{i-1}^3 - m x_{i-1})$ for $i \geq 1$, that is, $S_i$ is the denominator of $2^i Q$ when $i \geq 1$. Alternatively, we could omit a constant 4 in the definition of $S_i$. We refer to this sequence as the sequence $S_i$ with the initial value $Q = (x, y)$, or with the initial value $x$. Note that $S_i$ depends only on $x$ and $i$. ($S_i$ also depends on $m$. However, it will be clear from the context which $m$ is used.)

3. Group structure of $E(\mathbb{F}_p)$.

First, we analyze the structure of the group $E(\mathbb{F}_p)$, where $E$ is an elliptic curve defined by $y^2 = x^3 - mx$ for some integer $m \not\equiv 0 \pmod p$ and $p \equiv 3 \pmod 4$ is a prime number. Assume $p + 1 = 2^k n$, where $k \in \mathbb{Z}$, $k > 2$ and $n$ is an odd integer.

Theorem 3.1. In this context, $\#E(\mathbb{F}_p) = p + 1$.

Proof. See Theorem 4.23, page 115 in □ 

Theorem 3.2. In this context,

$$E(\mathbb{F}_p) \cong \mathbb{Z}_{2^k n} \quad \text{or} \quad \mathbb{Z}_2 \oplus \mathbb{Z}_{2^{k-1} n}$$

depending on whether $m$ is a quadratic non-residue or a quadratic residue modulo $p$.

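Proof. By Theorem 3.1, we have $\#E(\mathbb{F}_p) = p + 1 = 2^k n$. Hence $E(\mathbb{F}_p) \cong \mathbb{Z}_{2^\alpha n_1} \oplus \mathbb{Z}_{2^\beta n_2}$ for some $n_1, n_2, \alpha, \beta \in \mathbb{Z}$ with $\alpha \leq \beta$ and $\alpha + \beta = k$ and $n_1 \mid n_2$ and $n_1 n_2 = n$. However, in general, $2^\alpha n_1$ must divide $p - 1$ by the group structure of elliptic curves. (See Theorem 4.3 and 4.4, page 98 in [7].) Note that $\gcd(\#E(\mathbb{F}_p), p - 1) = \gcd(p + 1, p - 1) = 2$. Therefore $n_1 = 1$ and $n_2 = n$.

If $m$ is a quadratic non-residue (with Jacobi notation, $\left(\frac{m}{p}\right) = -1$), then only one root of $x^3 - mx$ is in $\mathbb{F}_p$. Hence $E[2] \not\subset E(\mathbb{F}_p)$. Therefore $\alpha = 0$ and $E(\mathbb{F}_p) \cong \mathbb{Z}_{2^k n}$.

If $\left(\frac{m}{p}\right) = 1$, then $\sqrt{m} \in \mathbb{F}_p$. Hence all the roots of $x^3 - mx$ are in $\mathbb{F}_p$. Hence $E[2] \subset E(\mathbb{F}_p)$. So $\alpha \geq 1$. Since $p - 1 \equiv 2 \pmod 4$ and $2^\alpha \mid p - 1$, we have $\alpha = 1$. Therefore $E(\mathbb{F}_p) \cong \mathbb{Z}_2 \oplus \mathbb{Z}_{2^{k-1} n}$.

□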

The next theorem is essential to choose an initial value. 

Theorem 3.3. Let $p \equiv 3 \pmod 4$ be prime and let $E$ be an elliptic curve defined by $y^2 = x^3 - mx$ for some integer $m$. Assume $p + 1 = 2^k n$, where $k \in \mathbb{Z}$, $k > 2$ and $n$ is an odd integer. Suppose $m$ is a quadratic non-residue modulo $p$. If $Q = (x, y) \in E$ and $x$ is a quadratic non-residue, then $Q$ has order divisible by $2^k$ in the cyclic group $E(\mathbb{F}_p) \cong \mathbb{Z}_{2^k n}$.

Proof. Since $m$ is a quadratic non-residue, $E(\mathbb{F}_p) \cong \mathbb{Z}_{2^k n}$ by Theorem 3.2. Hence $E(\mathbb{F}_p)$ is cyclic. Let $G$ be a generator of this group and let $tG = Q$ for an integer $t$.

We show that $Q = (x, y) \notin 2E(\mathbb{F}_p)$. Suppose $(x, y) = 2(x_0, y_0)$ for a point $(x_0, y_0) \in E(\mathbb{F}_p)$. Then by equation (2.1), we have $x = ((x_0^2 + m)/(2y_0))^2$. Hence $x$ is a square in $\mathbb{F}_p$, which contradicts the assumption that $x$ is a quadratic non-residue modulo $p$. So $Q = (x, y) \notin 2E(\mathbb{F}_p)$.

Therefore $t$ is odd and then $Q$ has order divisible by $2^k$.

□

4. Primality test for $p = 2^k n - 1$ when $n$ is small.

Using Theorem 3.3, we give primality tests for integers of the form $p = 2^k n - 1$, where $k, n \in \mathbb{Z}$, $k > 2$ and $n$ is an odd integer. There are two primality tests. We distinguish them by the relative size of $n$ when compared with $2^k$. First, let us discuss the case when $n$ is relatively small.

Theorem 4.1. Fix $\lambda > 1$. Suppose $p = 2^k n - 1$ with $k > 2$ and an odd integer $n < \sqrt{p}/\lambda$. Assume $p$ is not so small. More precisely, assume $p$ satisfies $\lambda\sqrt{p} > (p^{1/4} + 1)^2$. Let $E$ be a curve defined by $y^2 = x^3 - mx$, where $m$ is a quadratic non-residue modulo $p$. Then $p$ is prime if and only if there exists a point $Q = (x, y)$ on $E$ such that

$$\gcd(S_i, p) = 1$$

for $i = 1, 2, \ldots, k - 1$ and

$$S_k \equiv 0 \pmod p,$$

where $S_i$ is a sequence with the initial value $S_0 = x$.

Proof. Suppose $p$ is prime. Then by Theorem 3.2, $E(\mathbb{F}_p) \cong \mathbb{Z}_{2^k n}$. Then $E(\mathbb{F}_p)$ has a point $Q = (x, y)$ of order $2^k$. Hence $S_i$, with the initial value this $x$, satisfies the conditions of the theorem since $S_i$ is the denominator of $2^i Q$.

Conversely, suppose there exists $Q$ which satisfies the conditions. Assume $p$ is composite and let $r$ be a prime divisor such that $r < \sqrt{p}$. Then we have $\gcd(S_i, r) = 1$ for $i = 1, 2, \ldots, k - 1$ and $S_k \equiv 0 \pmod r$. Hence in the reduction $E(\mathbb{F}_r)$, $Q$ has an order $\geq 2^k$. Using the condition on $n$, we have

$$\lambda\sqrt{p} < p/n < 2^k \leq \#E(\mathbb{F}_r) < (\sqrt{r} + 1)^2 < (p^{1/4} + 1)^2.$$

Here the third inequality is by Hasse's Theorem. However, we assumed that this does not happen. Therefore $p$ is prime.

□

To make Theorem 4.1 into a primality test, we need to find a point $Q$ in the theorem. To this end we use Theorem 3.3. Let us first state the algorithm.

Algorithm. Let $p$ be an integer of the form $p = 2^k n - 1$ with $k > 2$ and $p$, $n$ satisfy the conditions of Theorem 4.1. To check whether $p$ is prime, do the following steps.

(1) Take $x \in \mathbb{Z}$ such that $\left(\frac{x}{p}\right) = -1$ and find $y$ such that $\left(\frac{x^3 - y^2}{p}\right) = 1$. Let $m = (x^3 - y^2)/x \bmod p$. Then $Q' = (x, y)$ lies on the curve $E : y^2 = x^3 - mx$, where $m \not\equiv 0 \pmod p$. The following calculation is done in $E(\mathbb{Z}_p)$. Let $Q = nQ'$. If $Q = \infty$, then $p$ is composite. If not, go to Step 2.

(2) Let $S_i$ be the sequence with the initial value $Q$. Calculate $S_i$ for $i = 1, 2, \ldots, k - 1$. If $\gcd(S_i, p) > 1$ for some $i$, $1 \leq i \leq k - 1$, then $p$ is composite. If $\gcd(S_i, p) = 1$ for $i = 1, 2, \ldots, k - 1$, then go to Step 3.

(3) If $S_k \equiv 0 \pmod p$, then $p$ is prime. If not, $p$ is composite.

Let us check why this algorithm works. In Step 1, we find an elliptic curve $E : y^2 = x^3 - mx$ and a point $Q$ on $E$ whose $x$-coordinate is a quadratic non-residue. We have $\left(\frac{m}{p}\right) = \left(\frac{(x^3 - y^2)/x}{p}\right) = \left(\frac{x}{p}\right)\left(\frac{x^3 - y^2}{p}\right) = -1 \cdot 1 = -1$. Hence if $p$ is prime, then $Q'$ has order divisible by $2^k$ by Theorem 3.3. So the order of $Q'$ is $2^k d$, where $d \mid n$. Hence $Q = nQ'$ has order $2^k$. Therefore if Step 1 concludes that $p$ is composite, then $p$ is really composite. Step 2 and Step 3 check if $Q$ has order $2^k$. So if Step 2 or Step 3 concludes that $p$ is composite, then $p$ is really composite. If the algorithm concludes $p$ is prime, then $S_i$ satisfies the conditions of Theorem 4.1. Therefore $p$ is really prime.

Remark 4.2. Since we know both coordinates of Q, we can calculate 
nQ quickly. 

Remark 4.3. Suppose this test concludes that $p$ is composite because $\gcd(S_i, p) > 1$ for some $i$, $1 \leq i \leq k - 1$ in Step 2. Then $\gcd(S_i, p)$ might be a proper divisor of $p$ though it might be $p$ itself. This is the basic idea of the primality testing using elliptic curves proposed by Goldwasser and Kilian (see [3]).



5. Primality test for Mersenne numbers.

Let us apply the above algorithm for Mersenne numbers $M_k = 2^k - 1$. That is, we take $n = 1$ and suppose $k > 3$. In this case we do not have to choose the initial value and the elliptic curve as in Step 1. Note that since $n = 1$, the algorithm contains no elliptic curve calculation. Since $S_i$ can be calculated using only the $x$-coordinate, we do not need to find $y$. Actually, we can take $E : y^2 = x^3 - 3x$ and a point $Q$ with the $x$-coordinate $-1$. Let us check this. Suppose $M_k$ is prime. Since $M_k \equiv 3 \pmod 4$, we have $\left(\frac{3}{M_k}\right) = -\left(\frac{M_k}{3}\right) = -1$ by the quadratic reciprocity law. Hence we can take $m = 3$. Next, since $M_k \equiv -1 \pmod 8$, we have $\left(\frac{(-1)^3 - 3(-1)}{M_k}\right) = \left(\frac{2}{M_k}\right) = 1$. Hence $\sqrt{2} \in \mathbb{F}_{M_k}$. Therefore

$$Q = (-1, \sqrt{2}) \in E(\mathbb{F}_{M_k}).$$

In summary, the primality test for Mersenne numbers is the following.

Algorithm for Mersenne numbers.

Let $p = 2^k - 1$, $k > 3$. Let $x_0 = -1$, $x_{i+1} = \dfrac{(x_i^2 + 3)^2}{4(x_i^3 - 3x_i)}$ modulo $p$ for $i \geq 0$. Define $S_i = x_{i-1}^3 - 3x_{i-1}$ modulo $p$ for $i \geq 1$. To check the primality, do the following steps.

(1) Calculate $S_i$ for $i = 1, 2, \ldots, k - 1$. If $\gcd(S_i, p) > 1$ for some $i$, $1 \leq i \leq k - 1$, then $p$ is composite. If $\gcd(S_i, p) = 1$ for $i = 1, 2, \ldots, k - 1$, then go to Step 2.

(2) If $S_k \equiv 0 \pmod p$, then $p$ is prime. If not, $p$ is composite.

Therefore, we get a primality test which is an analogue of the Lucas-Lehmer test.

Remark 5.1. Note that for Mersenne numbers, the algorithm concludes that $p$ is composite if and only if $\gcd(S_i, p) > 1$ for some $i$, $1 \leq i \leq k - 1$. Hence as mentioned above, it might find a proper divisor of $p$ as a value of $\gcd(S_i, p)$.
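
The Mersenne algorithm above, written out as a Python example added here (it is not code from the paper). The function names `mersenne_ec_test` and `lucas_lehmer` are chosen for this example, and the classical Lucas-Lehmer test from the Introduction is included only as a cross-check. The guard `k < 3` is this example's choice: k = 2 gives p = 3, where m = 3 is 0 modulo p.

```python
from math import gcd


def mersenne_ec_test(k):
    """Return (is_prime, factor) for p = 2^k - 1, using x_0 = -1 on y^2 = x^3 - 3x.

    factor is a proper divisor of p when a gcd step exposes one, else None.
    """
    if k < 3:
        raise ValueError("k = 2 gives p = 3, where m = 3 vanishes modulo p")
    p = (1 << k) - 1
    x = p - 1                                    # x_0 = -1 mod p
    for _ in range(1, k):                        # i = 1, ..., k-1
        s = (x * x * x - 3 * x) % p              # S_i = x_{i-1}^3 - 3 x_{i-1}
        g = gcd(s, p)
        if g > 1:                                # Step 1: p is composite
            return False, (g if g < p else None)
        # x_i from x_{i-1} by the doubling formula with m = 3
        x = (x * x + 3) ** 2 * pow(4 * s, -1, p) % p
    return (x * x * x - 3 * x) % p == 0, None    # Step 2: is S_k = 0 (mod p)?


def lucas_lehmer(k):
    """Classical test: S_0 = 4, S_{i+1} = S_i^2 - 2, M_k prime iff M_k | S_{k-2}."""
    p, s = (1 << k) - 1, 4
    for _ in range(k - 2):
        s = (s * s - 2) % p
    return s == 0


if __name__ == "__main__":
    for k in range(3, 64):
        prime, factor = mersenne_ec_test(k)
        assert prime == lucas_lehmer(k)
        if prime or factor:
            print(k, "prime" if prime else f"composite, divisor {factor}")
```
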
6. Primality test for $p = 2^k n - 1$ when $n$ is large.

Next, let us consider the case when $n$ is relatively large. For this case, we assume $n = q$ is prime for simplicity.

Algorithm. Let $p = 2^k q - 1$ with $k > 2$ and $q$ prime. Fix $\lambda > 1$ and assume $2^k \lambda < \sqrt{p}$ and $\lambda\sqrt{p} > (p^{1/4} + 1)^2$.

To check if $p$ is prime or not, do the following steps.

(1) Take $x \in \mathbb{Z}$ such that $\left(\frac{x}{p}\right) = -1$ and find $y$ such that $\left(\frac{x^3 - y^2}{p}\right) = 1$. Let $m = (x^3 - y^2)/x \bmod p$. Then $Q = (x, y)$ lies on the curve $E : y^2 = x^3 - mx$. Then the following calculation is done in $E(\mathbb{Z}_p)$.

(2) If $2^k Q = \infty$, then go to Step 1 and take another $y$. If $2^k Q \neq \infty$, then go to Step 3.

(3) If $q(2^k Q) = \infty$, then $p$ is prime. If not, $p$ is composite.

Theorem 6.1. If we reach Step 3 in the above algorithm, it determines 
whether or not p is prime. 

Proof. We have $\left(\frac{m}{p}\right) = \left(\frac{(x^3 - y^2)/x}{p}\right) = \left(\frac{x}{p}\right)\left(\frac{x^3 - y^2}{p}\right) = -1 \cdot 1 = -1$.

If $p$ is prime, then by Theorem 3.2, we have $E(\mathbb{F}_p) \cong \mathbb{Z}_{2^k q}$. Since the $x$-coordinate of $Q$ is a quadratic non-residue, the order of $Q$ is divisible by $2^k$ by Theorem 3.3. By Step 2, we know that $2^k Q \neq \infty$. Hence $Q$ has order $2^k q$. So if $2^k q Q \neq \infty$, then $p$ is not prime.

Suppose we have $q(2^k Q) = \infty$ in Step 3 and $p$ is composite. Let $r$ be a prime divisor of $p$ such that $r < \sqrt{p}$. Since $2^k Q \neq \infty$ and $q(2^k Q) = \infty$, $Q$ has order divisible by $q$. Using the assumption on $k$, we have

$$\lambda\sqrt{p} < p/2^k < q \leq \#E(\mathbb{F}_r) < (\sqrt{r} + 1)^2 < (p^{1/4} + 1)^2.$$

Here the third inequality is by Hasse's Theorem. However, we assumed this inequality does not hold. Hence $p$ is prime. □

Remark 6.2. Since we know $Q = (x, y)$, we can use the method of successive doubling when we multiply integers. Hence it is calculated quickly.

Remark 6.3. If we cannot proceed to Step 3, then this test will not stop. However, if $q$ is a large prime, then it is likely that $Q$ has order $2^k q$. So after doing Step 2 several times if we could not proceed to Step 3, then it is likely $p$ is composite. Then we need to use another test to check if it is really composite. Or we should use this test after checking that $p$ is a probable prime by another test.
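
Steps (1) to (3) of the algorithm for $p = 2^k q - 1$ above, as a Python example added here (not code from the paper), with the point arithmetic in $E(\mathbb{Z}_p)$ done explicitly. Assumptions of this example: the names `jacobi`, `add`, `mul`, `large_n_test` and the `max_tries` cap are hypothetical, the smallest admissible $x$ and successive $y$ are tried, and the caller is expected to choose $k$, $q$ that satisfy the hypotheses on $\lambda$.

```python
def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, t = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                t = -t
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            t = -t
        a %= n
    return t if n == 1 else 0

def add(P, Q, m, p):
    """Add points of y^2 = x^3 - m*x over Z_p; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 - m) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(n, P, m, p):  # n*P by successive doubling (Remark 6.2)
    R = None
    while n:
        if n & 1:
            R = add(R, P, m, p)
        P, n = add(P, P, m, p), n >> 1
    return R

def large_n_test(k, q, max_tries=50):
    """True: p prime; False: p composite; None: Step 3 was never reached."""
    p = (q << k) - 1
    x = next(a for a in range(2, p) if jacobi(a, p) == -1)   # Step 1: (x/p) = -1
    ys = (y for y in range(1, p) if jacobi(x**3 - y * y, p) == 1)
    for _, y in zip(range(max_tries), ys):
        m = (x**3 - y * y) * pow(x, -1, p) % p   # so Q = (x, y) lies on E
        try:
            R = mul(1 << k, (x, y), m, p)         # Step 2: R = 2^k Q
            if R is not None:
                return mul(q, R, m, p) is None    # Step 3: is q(2^k Q) infinity?
        except ValueError:                        # non-invertible denominator: p composite
            return False
    return None
```

A `None` result is the situation of Remark 6.3: Step 3 was never reached within `max_tries` choices of $y$, so another test is needed.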
There exists a similar algorithm when $n$ is not prime. However, the number of steps in the algorithm will increase. To see what happens, let us consider the case when $n$ is a product of two primes. Let $n = q_1 q_2$, where $q_1$, $q_2$ are (not necessarily distinct) primes.

Algorithm. Let $p = 2^k q_1 q_2 - 1$, where $k > 2$ and $q_1$, $q_2$ are primes. Fix $\lambda > 1$ and assume $2^k \lambda < \sqrt{p}$ and $\lambda\sqrt{p} > (p^{1/4} + 1)^2$.

To check if $p$ is prime or not, do the following steps.

(1) Take $x \in \mathbb{Z}$ such that $\left(\frac{x}{p}\right) = -1$ and find $y$ such that $\left(\frac{x^3 - y^2}{p}\right) = 1$. Let $m = (x^3 - y^2)/x \bmod p$. Then $Q = (x, y)$ lies on the curve $E : y^2 = x^3 - mx$. Then the following calculation is done in $E(\mathbb{Z}_p)$.

(2) If $2^k Q = \infty$, then go to Step 1 and take another $y$. If $2^k Q \neq \infty$, then go to Step 3.

(3) If $q_1(2^k Q) \neq \infty$ and $q_2(2^k Q) \neq \infty$, then go to Step 4. Otherwise, go to Step 1 and take another $y$.

(4) If $q_1 q_2(2^k Q) = \infty$, then $p$ is prime. If not, $p$ is composite.

The proof is almost the same as that of Theorem 6.1. You can replace $q$ in the proof of Theorem 6.1 by $q_1 q_2$.

Remark 6.4. These tests in this section correspond to the primality tests using the factors of $p + 1$. (See pj).